MAY 25 200B 13:17 FR KING AND SPALDING 404 572 5134 TO 555 1 8054568 1 0503 P 



Application Serial No. 09/874,574 

1. (Currently Amended) A computer-implemented method comprising:

identifying a plurality of data signatures relevant to computer security;

designating an alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;

creating a table comprising the contextual information, the data signatures, and the alert condition values;

detecting a data signature by evaluating communications at an application layer level between a target and a suspect;

correlating said data signature with an application layer fingerprint of the target to determine to what extent said target is vulnerable to said data signature;

evaluating contextual information related to the data signature by comparing the contextual information and the data signature to the table in order to determine a likelihood that said target is under attack[[, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature]]; and

assigning an alert condition value to the data signature based on the comparison of the contextual information and data signature to data in the table.



2. (Cancelled). 

3. (Original) The method as in Claim 1 wherein said fingerprint includes said 
target node's operating system version. 

4. (Original) The method as in Claim 1 wherein said fingerprint includes said 
target node's processor type. 



5. (Cancelled). 
6. (Original) The method as in Claim 1 further comprising:

generating a first alert condition upon determining that said target node is 
vulnerable to said data signature. 

7. (Original) The method as in Claim 1 further comprising: 
listening for a response to said data signature from said target. 

8. (Original) The method as in Claim 7 further comprising:

determining whether said target node's response or lack of a response is 

suspicious. 

9. (Original) The method as in Claim 8 wherein determining whether said target's response is suspicious comprises determining whether said target's response is an "unknown command" response.

10. (Original) The method as in Claim 8 further comprising:

generating a second alert condition upon determining that said target node's response or lack of a response is suspicious.

11. (Original) The method as in Claim 10 further comprising:

combining the second alert with the first, thereby updating the first alert with 
information within the second alert. 

12. (Original) The method as in Claim 1 further comprising: 
listening for behavior of said target node; and 

generating a second alert condition upon determining that said target node's 
behavior is suspicious. 

13. (Original) The method as in Claim 11 wherein said target node's suspicious 
behavior comprises transmitting a root shell prompt to a suspect node. 
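Claims 1 through 13 recite a table keyed on the signature plus its context (protocol type and data field type), a correlation of the detected signature with the target's fingerprint, and a second alert derived from the target's response that is merged into the first. The Python below is an added example written for this page to make those steps concrete; it is not code from the application or its assignee. Every table entry, fingerprint attribute, alert value, downgrade rule and response string in it is a constructed assumption, chosen only to show the same signature scoring differently by field type, the fingerprint downgrading an alert the target cannot be affected by, and the response (unknown-command reply, root shell prompt, or no reply at all) updating the first alert.

```python
"""Context-keyed alert table with fingerprint correlation and response merging.
Added example for this page; all data below is constructed, not the
application's own table."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed alert table keyed on (protocol type, data field type, signature).
# The same bytes score differently depending on the field carrying them:
# "/cgi-bin/phf" as an HTTP request URI is an attack, in a mail body it is text.
ALERT_TABLE = {
    ("HTTP", "request-uri", "/cgi-bin/phf"): 8,
    ("HTTP", "body", "/cgi-bin/phf"): 2,
    ("SMTP", "body", "/cgi-bin/phf"): 1,
    ("FTP", "filename", "passwd"): 7,
    ("FTP", "username", "passwd"): 1,
}

# Constructed applicability data: fingerprint attributes a target must have
# for the signature to be able to land at all.
APPLIES_TO = {
    "/cgi-bin/phf": {"service": "httpd", "os": "unix"},
    "passwd": {"os": "unix"},
}


@dataclass
class Fingerprint:  # application layer fingerprint of the target (assumed fields)
    os: str
    service: str
    cpu: str = "x86"


@dataclass
class Alert:
    signature: str
    protocol: str
    field_type: str
    value: int
    vulnerable: Optional[bool]  # None when applicability is unknown
    notes: list = field(default_factory=list)


def lookup_alert_value(protocol: str, field_type: str, signature: str) -> int:
    """Table comparison: context plus signature -> alert value (0 = not in table)."""
    return ALERT_TABLE.get((protocol, field_type, signature), 0)


def is_vulnerable(signature: str, fp: Fingerprint) -> Optional[bool]:
    """Correlate the signature with the target's fingerprint."""
    required = APPLIES_TO.get(signature)
    if required is None:
        return None
    return all(getattr(fp, attr) == want for attr, want in required.items())


def first_alert(protocol: str, field_type: str, signature: str, fp: Fingerprint) -> Alert:
    """Build the first alert from the table value and the fingerprint correlation."""
    value = lookup_alert_value(protocol, field_type, signature)
    vulnerable = is_vulnerable(signature, fp)
    alert = Alert(signature, protocol, field_type, value, vulnerable)
    if vulnerable is False and value:
        alert.value = max(1, value // 2)  # constructed rule: halve when the target cannot be affected
        alert.notes.append("fingerprint mismatch: value halved")
    elif vulnerable:
        alert.notes.append("target fingerprint matches signature")
    return alert


def second_alert(response: Optional[str]) -> Optional[tuple]:
    """Classify the target's response, or its absence. Returns (reason, value) or None."""
    if response is None:
        return ("no response from target", 2)
    text = response.strip()
    if text.endswith("#"):  # constructed heuristic for a root shell prompt
        return ("root shell prompt sent to suspect", 10)
    if "unknown command" in text.lower():
        return ("unknown command response", 3)
    return None


def merge(first: Alert, second: Optional[tuple]) -> Alert:
    """Combine the second alert into the first, keeping the higher value."""
    if second is not None:
        reason, value = second
        first.notes.append(reason)
        first.value = max(first.value, value)
    return first


if __name__ == "__main__":
    fp = Fingerprint(os="unix", service="httpd")
    alert = first_alert("HTTP", "request-uri", "/cgi-bin/phf", fp)
    print(merge(alert, second_alert("bash-2.05# ")))
```

Note that `first_alert` returns a value of 0 for a signature/context pair absent from the table, so a signature the table knows only in one field type produces no alert when it appears elsewhere; a deployment would decide whether that silence is acceptable.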
14. (Currently Amended) A computer-implemented method comprising:

identifying a plurality of data signatures relevant to computer security;

designating an alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;

creating a table comprising the data signatures, contextual information, and alert condition values [[provided in context]];

identifying a data signature encapsulated in an application layer data field and directed at a target using an application layer protocol;

evaluating a context of the data signature by one of:
reviewing the application layer data field type;
reviewing the application layer protocol type; and
comparing the evaluated context of the data signature to the table;

determining whether said data signature poses a threat based on said context of said data signature; and

assigning an alert condition value to the data signature based on the comparison of the context to data in the table.

15. (Cancelled.) 

16. (Previously Presented) The method as in Claim 14 wherein said protocol is 
the HyperText Transport Protocol ("HTTP"). 

17. (Original) The method as in Claim 16 further comprising:

determining that said data signature poses a threat if said data signature is "/cgi-bin/phf" embedded in the header of said HTTP data transmission.
18. (Original) The method as in Claim 14 further comprising:

evaluating whether said data signature poses a threat based on a fingerprint of said target.

19. (Original) The method as in Claim 18 wherein said fingerprint is comprised of a particular service executed on said target.

20. (Original) The method as in Claim 18 wherein said fingerprint is comprised of a particular operating system executed on said target.

21. (Original) The method as in Claim 18 wherein said fingerprint is comprised of a particular hardware platform of said target.

22. (Original) The method as in Claim 14 further comprising: 

monitoring responses from said target following said data signature; and 
determining a likelihood of whether said target is under attack based on data signatures of said 
responses. 

23. (Original) The method as in Claim 22 wherein said target response is a non-protocol response.

24. (Original) The method as in Claim 23 wherein said data signature is transmitted to the target using the file transfer protocol ("FTP") and said non-protocol response indicates a raw shell connection to said target.



25. (Currently Amended) A computer-implemented method comprising:

identifying a plurality of data signatures relevant to computer security;

designating a relative alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;

creating a table comprising the contextual information, the data signatures, and the relative alert condition values;

monitoring a plurality of data transmissions at an applications layer level between a suspect and a target to identify one or more data signatures, said data transmissions indicating a current state of communication between said suspect and said target;

evaluating contextual information related to each data signature by comparing the contextual information and data signatures to the table[[, the contextual information comprising at least one of an application layer data field type used to encapsulate a respective data signature and an application layer protocol type used to transmit a respective data signature]];

evaluating a likelihood that said target is under attack based on the contextual information of one or more data signatures of said transmissions and said current state of communication; and

assigning a relative alert condition value to the data signature based on the comparison of the contextual information to data in the table.

26. (Original) The method as in Claim 25 wherein said current state of 
communication is based on a known protocol with which said data transmissions are 
transmitted/received between said suspect and target. 

27. (Original) The method as in Claim 26 wherein said known protocol is FTP. 

28. (Original) The method as in Claim 27 wherein one of said data signatures is 
the filename "passwd" in a context in which filenames are likely to appear. 
29. (Original) The method as in Claim 25 further comprising:

monitoring responses from said target following said data signature; and 
determining a likelihood of whether said target is under attack based on data signatures of said 
responses. 

30. (Original) The method as in Claim 25 wherein said current state comprises any outbound connection from said target following a detected signature.

31. (Original) The method as in Claim 25 wherein said current state comprises an inbound connection to a new port following a detected signature.

32. (Previously Presented) The method as in Claim 25 wherein monitoring said current state comprises:

profiling said target to determine which ports are open by passively listening to what traffic succeeds in talking to/from the target.

33. (Previously Presented) The method as in Claim 25 wherein monitoring said current state comprises:

detecting non-protocol requests or responses transmitted to/from said target.

34. (Original) The method as in Claim 25 further comprising: 
determining a fingerprint of said target; and 

further evaluating a likelihood that said target is under attack based on said 

fingerprint. 

35. (Original) The method as in Claim 26 wherein said known protocol is HTTP.

36. (Original) The method as in Claim 26 wherein said known protocol is RPC.
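Claims 25 through 36 add the current state of the conversation to the evaluation: ports profiled passively from traffic that succeeds, an outbound connection from the target after a detected signature, an inbound connection to a new port after a detected signature, and non-protocol requests or responses. The Python below is an added example for this page and is not code from the application. The FTP event log, the single signature entry ("passwd" in a filename field, as in Claim 28), and the indicator weights are constructed assumptions; the only external fact it relies on is that an FTP reply begins with a three-digit code followed by a space or hyphen (RFC 959), which is what lets a shell prompt coming back on the control channel be recognised as a non-protocol response.

```python
"""Stateful monitoring of a suspect/target FTP conversation.
Added example for this page; the event log, weights and signature entry are
constructed, not taken from the application."""
import re

# RFC 959 reply line: three-digit code, then a space or (multi-line) hyphen.
FTP_REPLY = re.compile(r"^\d{3}[ -]")

# Constructed context table: (protocol, field type, signature) -> alert value.
SIGNATURES = {("FTP", "filename", "passwd"): 7}

# Constructed weights for state indicators observed after a detected signature.
WEIGHTS = {
    "non-protocol response": 3,
    "outbound connection from target": 4,
    "inbound connection to new port": 3,
}


def ftp_context(payload: str) -> tuple:
    """Split an FTP command line into (field type, field value)."""
    parts = payload.strip().split(None, 1)
    if not parts:
        return ("none", "")
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    if cmd in ("RETR", "STOR", "DELE", "SIZE"):
        return ("filename", arg.rsplit("/", 1)[-1])  # last path component
    if cmd == "USER":
        return ("username", arg)
    return ("other", arg)


def analyze(events: list, target: str = "target") -> dict:
    """Walk an event log and score the likelihood that the target is under attack."""
    open_ports = set()  # passively profiled: ports on which the target answered
    indicators = []
    signature_seen = False
    score = 0
    for ev in events:
        if ev["kind"] == "data":
            if ev["src"] == target:
                open_ports.add(ev["port"])
                if signature_seen and not FTP_REPLY.match(ev["payload"]):
                    indicators.append("non-protocol response")
            elif ev["dst"] == target:
                field_type, value = ftp_context(ev["payload"])
                alert = SIGNATURES.get(("FTP", field_type, value), 0)
                if alert:
                    signature_seen = True
                    score += alert
                    indicators.append(f"signature {value!r} in {field_type} field")
        elif ev["kind"] == "connect" and signature_seen:
            if ev["src"] == target:
                indicators.append("outbound connection from target")
            elif ev["dst"] == target and ev["dport"] not in open_ports:
                indicators.append("inbound connection to new port")
    score += sum(WEIGHTS.get(i, 0) for i in indicators)
    return {"open_ports": open_ports, "indicators": indicators, "likelihood": score}


# Constructed event log: a suspect logs in, retrieves "passwd", gets a shell
# prompt back on the control channel, and two new connections follow.
SAMPLE_EVENTS = [
    {"kind": "connect", "src": "suspect", "dst": "target", "dport": 21},
    {"kind": "data", "src": "suspect", "dst": "target", "port": 21, "payload": "USER passwd\r\n"},
    {"kind": "data", "src": "target", "dst": "suspect", "port": 21, "payload": "331 Password required\r\n"},
    {"kind": "data", "src": "suspect", "dst": "target", "port": 21, "payload": "RETR passwd\r\n"},
    {"kind": "data", "src": "target", "dst": "suspect", "port": 21, "payload": "bash-2.05# "},
    {"kind": "connect", "src": "target", "dst": "suspect", "dport": 4444},
    {"kind": "connect", "src": "suspect", "dst": "target", "dport": 31337},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The "USER passwd" line is deliberately included: the same bytes in the username field are not in the table, so they contribute nothing, while "RETR passwd" puts the signature in a filename context and does. Every state indicator is only counted once a signature has been seen, which is what keeps ordinary data-channel connections on a clean session from raising the score.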
37. (Currently Amended) A machine-readable medium having program code stored thereon which, when executed by a machine, causes said machine to perform the operations of:

identifying a plurality of data signatures relevant to computer security;

designating a relative alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the relative alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;

creating a table comprising the contextual information, the data signatures, and the relative alert condition values;

detecting a data signature by evaluating communications at an application layer level between a target and a suspect;

correlating said data signature with a fingerprint of the target to determine to what extent said target is vulnerable to said data signature; and

evaluating contextual information related to the data signature by comparing the contextual information and the data signature to the table in order to determine a likelihood that said target is under attack[[, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature]]; and

assigning a[[n]] relative alert condition value to the data signature based on the comparison of the contextual information and data signature to data in the table.

38. (Original) The machine-readable medium as in Claim 37 further comprising 
program code to cause said machine to perform the operations of: 

evaluating contextual information related to said data signature to determine a 
likelihood that said target is under attack. 

39. (Original) The machine-readable medium as in Claim 37 wherein said 
fingerprint includes said target node's operating system version. 
40. (Original) The machine-readable medium as in Claim 37 wherein said fingerprint includes said target node's processor type.

41. (Cancelled.) 

42. (Original) The machine-readable medium as in Claim 37 further comprising 
program code to cause said machine to perform the operations of: 

generating a first alert condition upon determining that said target node is 
vulnerable to said data signature. 

43. (Original) The machine-readable medium as in Claim 37 further comprising 
program code to cause said machine to perform the operations of: 

listening for a response to said data signature from said target. 

44. (Original) The machine-readable medium as in Claim 43 further comprising 
program code to cause said machine to perform the operations of: 

determining whether said target node's response or lack of a response is 

suspicious. 

45. (Original) The machine-readable medium as in Claim 44 wherein determining whether said target's response is suspicious comprises determining whether said target's response is an "unknown command" response.

46. (Original) The machine-readable medium as in Claim 44 further comprising program code to cause said machine to perform the operations of:

generating a second alert condition upon determining that said target node's response or lack of a response is suspicious.
47. (Original) The machine-readable medium as in Claim 46 further comprising
program code to cause said machine to perform the operations of: 

combining the second alert with the first, thereby updating the first alert with 
information within the second alert. 

48. (Original) The machine-readable medium as in Claim 37 further comprising 
program code to cause said machine to perform the operations of: 

listening for behavior of said target node; and 

generating a second alert condition upon determining that said target node's 
behavior is suspicious. 

49. (Original) The machine-readable medium as in Claim 47 wherein said target 
node's suspicious behavior comprises transmitting a root shell prompt to a suspect node. 



50. (Currently Amended) A machine-readable medium having program code stored thereon which, when executed by a machine, causes said machine to perform the operations of:

identifying a plurality of data signatures relevant to computer security;

designating an alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;

creating a table comprising the data signatures, the contextual information, and the alert condition values [[provided in context]];

identifying a data signature encapsulated in an application layer data field directed at a target using an application layer protocol;

evaluating a context of the data signature by one of:
reviewing the application layer data field type;
reviewing the application layer protocol type; and
comparing the evaluated context of the data signature to the table;

determining whether said data signature poses a threat based on said context of said data signature; and

assigning an alert condition value to the data signature based on the comparison of the context to data in the table.

51. (Cancelled.) 

52. (Previously Presented) The machine-readable medium as in Claim 50 
wherein said protocol is the HyperText Transport Protocol ("HTTP"). 
53. (Original) The machine-readable medium as in Claim 52 further comprising program code to cause said machine to perform the operations of:

determining that said data signature poses a threat if said data signature is "/cgi-bin/phf" embedded in the header of said HTTP data transmission.

54. (Original) The machine-readable medium as in Claim 50 further comprising 
program code to cause said machine to perform the operations of: 

further evaluating whether said data signature poses a threat based on a fingerprint 

of said target. 

55. (Original) The machine-readable medium as in Claim 54 wherein said 
fingerprint is comprised of a particular service executed on said target. 



56. (Currently Amended) A machine-readable medium having program code stored thereon which, when executed by a machine, causes said machine to perform the operations of:

identifying a plurality of data signatures relevant to computer security;

designating a relative alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the relative alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;

creating a table comprising the contextual information, the data signatures, and the relative alert condition values;

monitoring a plurality of data transmissions at an applications layer level between a suspect and a target to identify one or more data signatures, said data transmissions indicating a current state of communication between said suspect and said target;

evaluating contextual information related to each data signature by comparing the contextual information and data signatures to the table[[, the contextual information comprising at least one of an application layer data field type used to encapsulate a respective data signature and an application layer protocol type used to transmit a respective data signature]];

evaluating a likelihood that said target is under attack based on the contextual information of one or more data signatures of said transmissions and said current state of communication; and

assigning a relative alert condition value to the data signature based on the comparison of the contextual information to data in the table.

57. (Original) The machine-readable medium as in Claim 56 comprising program code to cause said machine to perform the additional operations of:

monitoring responses from said target following said data signature; and

determining a likelihood of whether said target is under attack based on data signatures of said responses.